In the early days of the internet, communication was by email. Originally siloed by companies like Compuserve, AT&T and Sprint so that messages could only be exchanged with others on the same system, email is now ubiquitous. Pretty much anyone can communicate with anyone else without worrying about app or device or browser.

Today there are additional methods of communicating via the internet, such as chat and voice. These new methods, however, are currently similar to early email: siloed by different vendors so that users can communicate only with other users on the same system. Matrix.org aims to change this, so that any user on one system can communicate with any user on a different system; just like email today.

Matrix is an open standard for interoperable, decentralized, real-time communication over IP. It can be used for any type of IP communication: IM, VoIP, or IoT data. One system already operating on Matrix is the open team collaboration app, Riot. While Riot is described as "a simple and elegant collaboration environment that gathers all of your different conversations and app integrations into one single app," it can actually communicate with any user anywhere in the Matrix ecosphere.

The Matrix organization has not adopted the usual method of approaching all the big companies and trying to get the world to adopt Matrix. Instead, technical co-founder Matthew Hodgson told SecurityWeek, "We're just building it -- putting it out there on the internet as a de facto standard, and we then go and build bridges through to the existing communities. We've already got bridges through to Slack and to Skype and to IRC and various other online communities. Since the entire thing is open source, we're also getting contributors from all round the world building bridges to their own systems; such as Ericsson building bridges into their own infrastructure. Or it could be contributors who write their own bridge to link something like Telegram or Twitter -- and they basically act as a bridge to link existing silos into matrix. It's a very pragmatic way of solving the problem."

This still requires cooperation from the vendors. New companies like Slack are often open to cooperation, but larger companies like Microsoft (Skype) are not necessarily so. However, the Nadella Microsoft seems to be far more pragmatic than the Ballmer Microsoft.

"They've not fundamentally changed their spots," said Hodgson, "but at least superficially there's much more openness to this sort of technology; and the reality is that Skype is on the back foot, hemorrhaging users. Microsoft could do with any help it can get in trying to regain the 'cool' factor and market share. It has actually been very positive in letting us integrate with Skype. We haven't integrated Skype into Matrix, but we're in conversation -- especially since Skype is turning into a platform itself, and Microsoft realizes there is a problem of reach for its O365 customers (who have their own teams using Slack and other 'silos'). Matrix is the only common ground that can be used to link these different apps together."

He said that the only pushback Matrix has had so far has been from Facebook, "unsurprisingly," he added, since they are the incumbent and want to keep their monopoly as long as they can. "But literally everyone else is amenable to pooling resources to make the world a better place. Matrix is the necessary counterbalance that can maintain the openness of the internet against monopolistic designs of big organizations."

However, Matrix itself is not enough: users, especially enterprise users, need to trust the privacy of their communications. The solution is the new beta launch of Olm encryption.

"E2E encryption is particularly important to Matrix where its decentralized nature means that a conversation can end up replicated over thousands of different servers. When the participant 'rooms' are public, that's not a problem. But if they're private rooms you get a huge attack envelope where you basically just blindly trust all of the server admins not to snoop on the content of the room."

"In practice," he added, "it's not much different to email. If I send an email to 1,000 people, it could end up on 1,000 different mail servers. But with Matrix we can and should do better. We've spent the last two years building our E2E encryption, so that if I send a message to someone on Matrix it is never stored unencrypted on any of the servers, and it can only be decrypted by the participants. It's much like WhatsApp and Allo; but we are the only one that is decentralized and not dependent on a silo or walled garden like Signal. We think it's the perfect storm for communications, combining encryption with decentralization."

To this end, Matrix has announced and launched the formal beta of the new Olm end-to-end encryption implementation across Web, iOS and Android. "With Matrix.org and Olm," commented Hodgson, "we have created a universal end-to-end encrypted communication fabric -- we really consider this a key step in the evolution of the Internet."

Olm is the Matrix implementation of the Double Ratchet algorithm designed by Trevor Perrin and Moxie Marlinspike. It was chosen, explained Hodgson in a blog post Monday, "in its capacity as the most ubiquitous, respected and widely studied e2e algorithm out there – mainly thanks to Open Whisper Systems implementing it in Signal, and subsequently licensing it to Facebook for WhatsApp and Messenger, Google for Allo, etc."

Olm has been reviewed by NCC Group (PDF). In keeping with its open philosophy, Matrix has ensured this review is available online. Several issues were discovered by NCC, including one high risk and one medium risk. The most exotic of these was an 'unknown key share attack'. "Needless to say," wrote Hodgson, "all of these issues have been solved with the release of libolm 2.0.0 on October 25th and included in today’s releases of the client SDKs and Riot."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

The 2016 Open Source Jobs Report released earlier this year by Dice and The Linux Foundation analyzed trends for open source careers and the motivations of professionals in the industry. Now, the data have been broken down to focus specifically on European open source professionals, and how they compare to their counterparts around the world.

This is the fifth year Dice and The Linux Foundation have partnered to produce the jobs report. The four previous years’ research focused exclusively on the job market for Linux professionals, but this year’s installment looks at the broader category of open source professionals. Overall trends between Europe and the world are generally similar, but show that open source careers may be even more in demand and rewarding in Europe than the rest of the world.

“Demand for open source talent is growing and companies struggle to find experienced professionals to fill open roles,” said Bob Melk, president of Dice. “Rising salaries for open source professionals indicate companies recognize the need to attract, recruit and retain qualified open source professionals on a global scale. Regardless of where they reside around the world, these professionals are motivated by the opportunity to work on interesting projects.”

European confidence is high

Europeans are more confident than their global counterparts in the open source job market. Of over one thousand European respondents, 60 percent believe it would be fairly or very easy to find a new position this year, as opposed to only 50 percent saying it would be easy globally.

In fact, 50 percent of Europeans reported receiving more than 10 calls from recruiters in the six months prior to the survey, while only 22 percent of respondents worldwide reported this level of engagement. While worldwide 27 percent of respondents received no calls at all from recruiters, only five percent of Europeans said the same.

The most in-demand skills

Application development skills are in high demand in Europe. Twenty-three percent of European open source professionals reported application development as the most in-demand skill in open source – higher than any other skill. Globally, only 11 percent identified application development as the most in-demand skill, second behind DevOps at 13 percent. DevOps was second among Europeans at 12 percent.

Retaining staff

Employers in Europe are offering more incentives to hold onto staff. Forty percent of European open source professionals report that in the past year they have received a raise, 27 percent report improved work-life balance, and 24 percent report more flexible schedules.

This compares to 31 percent globally reporting raises, and 20 percent globally reporting either a better work-life balance or more flexible work schedules. Overall, only 26 percent of Europeans stated their employer had offered them no new incentives this year, compared to 33 percent globally.

What differentiates open source jobs?

Open source professionals enjoy working on interesting projects more than anything. European open source professionals agreed with their global counterparts that the best thing about working in open source is the ability to work on interesting projects, at 34 percent (31 percent globally). However, while respondents around the world said the next best things were working with cutting-edge technology (18 percent) and collaboration with a global community (17 percent), European professionals selected job opportunities second at 17 percent, followed by both cutting-edge technologies and collaboration tied at 16 percent each. Five percent of European respondents said money and perks are the best part of their job, more than double the two percent who chose this response worldwide.

“European technology professionals, government organizations and corporations have long embraced open source,” said Jim Zemlin, executive director at The Linux Foundation. “The impressive levels of adoption of and respect for open source clearly have translated into more demand for qualified open source professionals, providing strong opportunities for developers, DevOps professionals and others.”

The findings of the annual Open Source Jobs Report are based on survey responses from more than 4,500 open source professionals worldwide, including 1,082 in Europe.

The Arduino team is using Kickstarter to crowdfund their latest project: the ESLOV IoT Invention Kit.

ESLOV is a system of intelligent modules that can be connected in an endless variety of ways, and is meant to simplify the creation of Internet-connected devices.

The connected modules are plugged into a Wi-Fi and motion hub, which will connect the device (project) to the Internet. Then, the hub has to be connected to the user’s PC so that it can be programmed.

Programming it is extremely easy, though – in fact, no actual programming knowledge is required. By using the ESLOV’s visual code editor, which recognises the modules automatically, the user needs to simply draw connections between them, and the device is ready to be used.

Once the device is connected to the Arduino cloud, the user can control it and interact with it from anywhere, via a computer or smartphone, through a user-friendly interface.

The ESLOV kit consists of the wireless hub and 25 modules. The team welcomes third-party modules – design files and documentation for all modules will be made publicly available, to make it easier for creative people to design and create their own.

The Arduino team needs to raise $500,000 to finish the development and production of the ESLOV kit. Potential funders can choose to receive kits of different sizes, priced from $49 (you receive just the Wi-Fi hub) to $499 (PRO kit: Hub + 22 modules). The various kits can also be combined.

Delivery of the hardware to the backers is scheduled for June 2017.

More technical information can be found on the Kickstarter project page or this blog post.

The Apache Spot project was announced at Strata+Hadoop World on Wednesday, Sept. 28, 2016.

By Katherine Noyes

IDG News Service|Sep 28, 2016

Hard on the heels of the discovery of the largest known data breach in history, Cloudera and Intel on Wednesday announced that they've donated a new open source project to the Apache Software Foundation with a focus on using big data analytics and machine learning for cybersecurity.

Originally created by Intel and launched as the Open Network Insight (ONI) project in February, the effort is now called Apache Spot and has been accepted into the ASF Incubator.

"The idea is, let's create a common data model that any application developer can take advantage of to bring new analytic capabilities to bear on cybersecurity problems," Mike Olson, Cloudera co-founder and chief strategy officer, told an audience at the Strata+Hadoop World show in New York. "This is a big deal, and could have a huge impact around the world."

Based on Cloudera's big data platform, Spot taps Apache Hadoop for infinite log management and data storage scale along with Apache Spark for machine learning and near real-time anomaly detection. The software can analyze billions of events in order to detect unknown and insider threats and provide new network visibility.

Essentially, it uses machine learning as a filter to separate bad traffic from benign and to characterize network traffic behavior. It also uses a process including context enrichment, noise filtering, whitelisting and heuristics to produce a shortlist of most likely security threats.

By providing common open data models for network, endpoint, and user, meanwhile, Spot makes it easier to integrate cross-application data for better enterprise visibility and new analytic functionality. Those open data models also make it easier for organizations to share analytics as new threats are discovered.

Other contributors to the project so far include eBay, Webroot, Jask, Cybraics, Cloudwick, and Endgame.

“The open source community is the perfect environment for Apache Spot to take a collective, peer-driven approach to fighting cybercrime,” said Ron Kasabian, vice president and general manager for Intel's Analytics and Artificial Intelligence Solutions Group. “The combined expertise of contributors will help further Apache Spot’s open data model vision and provide the grounds for collaboration on the world’s toughest and constantly evolving challenges in cybersecurity analytics.”

Thomas Claburn

Microsoft's conviction that "fuzzing in the cloud will revolutionize security testing," voiced in a research paper six years ago, has taken form with the debut of Project Springfield: an Azure-based service for identifying software flaws by automatically subjecting the code to bad input.

Introduced at the Ignite conference in Atlanta, Georgia, on Monday, Project Springfield offers developers the ability to conduct continuous testing of binary files on virtual machines running atop Microsoft Azure, in order to identify and eliminate bugs.

Allison Linn, self-described writer and storyteller for Microsoft, says that Microsoft's research team thinks about Project Springfield as a "million-dollar bug detector" (not to be confused with the Million Dollar Homepage) because some software bugs cost that much to fix if left too long. Your costs may vary.

A 2002 study released by the US National Institute of Standards and Technology estimated that software bugs cost the US economy between $22.2 billion and $59.5 billion annually (more like $79 billion today). Catching bugs before software gets released presumably can bring repair costs down, if that's your goal.

Microsoft insists a third of the "million dollar" security bugs in Windows 7 were found using its "whitebox fuzzing" technology, referred to internally as SAGE (scalable, automated, guided execution). SAGE is one of the components of Project Springfield.

Like other announcements echoing around Silicon Valley these days, artificial intelligence comes into play. Microsoft says its system employs AI to ask questions and make better decisions about conditions that might cause code to crash.

Microsoft's whitebox fuzzing algorithm symbolically executes code from a starting input and develops subsequent input data based on constraints from the conditional statements it encounters along the way. The technology is distinct from blackbox fuzzing, which involves the sending of malformed input data without ensuring all the target paths have been explored. Blackbox fuzzing thus has the potential to miss a critical test condition by chance.
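The difference between the two strategies is easiest to see on a tiny program. The following Python, added here as an illustration and not code from Microsoft, SAGE or Project Springfield, runs a constructed toy target that only crashes on the four-byte input `bad!`. The blackbox search mutates bytes at random and has a one-in-2^32 chance per attempt; the whitebox search records each byte comparison the program makes as a path constraint, negates each constraint in turn and solves for an input that takes the other branch, so it reaches the crash in a dozen executions. The constraint solving here is trivial (single-byte equalities) and stands in for the SMT solving a real whitebox fuzzer does.

```python
import random
from dataclasses import dataclass, field


@dataclass
class TracedInput:
    """Input buffer that records every byte comparison the program makes.

    Each trace entry is (byte index, compared value, outcome): the path
    constraint a whitebox fuzzer reasons about.
    """
    data: bytes
    trace: list = field(default_factory=list)

    def eq(self, index, value):
        outcome = index < len(self.data) and self.data[index] == value
        self.trace.append((index, value, outcome))
        return outcome


def target(inp):
    """Constructed toy program: it only crashes on the exact input b'bad!'."""
    if inp.eq(0, ord("b")):
        if inp.eq(1, ord("a")):
            if inp.eq(2, ord("d")):
                if inp.eq(3, ord("!")):
                    raise RuntimeError("crash")
    return "ok"


def blackbox_fuzz(iterations, seed=0):
    """Random inputs only: returns the iteration that crashed, or None.

    The crashing input is one of 2**32 four-byte strings, so a random
    search effectively never reaches it.
    """
    rng = random.Random(seed)
    for n in range(1, iterations + 1):
        data = bytes(rng.randrange(256) for _ in range(4))
        try:
            target(TracedInput(data))
        except RuntimeError:
            return n
    return None


def whitebox_fuzz(seed_input=b"\x00\x00\x00\x00", max_runs=1000):
    """Constraint-driven search: run, collect branch constraints, negate
    each one and derive an input that flips that branch.

    Returns (number of executions, crashing input), or None.
    """
    worklist = [seed_input]
    seen = set()
    runs = 0
    while worklist and runs < max_runs:
        data = worklist.pop(0)
        if data in seen:
            continue
        seen.add(data)
        inp = TracedInput(data)
        runs += 1
        try:
            target(inp)
        except RuntimeError:
            return runs, data
        for index, value, outcome in inp.trace:
            new = bytearray(data)
            # "Solve" the negated constraint: make the byte unequal if the
            # branch was taken, equal if it was not. Earlier constraints in
            # this toy touch other bytes, so they remain satisfied.
            new[index] = (value + 1) % 256 if outcome else value
            worklist.append(bytes(new))
    return None


if __name__ == "__main__":
    print("blackbox:", blackbox_fuzz(20000))
    print("whitebox:", whitebox_fuzz())
```

The whitebox loop is a breadth-first version of the generational search the article alludes to: every execution yields one child input per constraint on the path, and each child is guaranteed to take a path the parent did not.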

Fuzzing lends itself to cloud computing because fuzzing software can run different tests in parallel using large amounts of available infrastructure. But Microsoft researchers Patrice Godefroid and David Molnar, in their 2010 research paper, argue that such computational elasticity matters less than the benefits of shared cloud infrastructure.

"Hosting security testing in the cloud simplifies the process of gathering information from each enrolled application, rolling out updates, and driving improvements in future development," they wrote.

At the G20 summit on Tuesday, President Obama said he had been talking to other heads of state about cybersecurity and avoiding a potential cyber arms race, but experts say it may be too late.

President Obama said nations should focus more on the dangers of non-state actors rather than repeating the mistakes of the Cold War in cyberspace. However, President Obama also began his comments by claiming the U.S. has more cyber "capacity than any other country, both offensively and defensively."

Experts said comments like this and the constant attribution of cyberattacks to countries like Russia and China are proof that the cyber arms race has already begun.

Michael Patterson, CEO of Plixer, said the cyber arms race is close to 10 years old at this point.

"The cyber arms race is on and has probably been accelerating since before the 2008 explosion on the Baku-Tbilisi-Ceyhan oil pipeline in Turkey that is thought to have been perpetrated by the Russians," Patterson told SearchSecurity, although the attribution of that attack to Russia has since come under question. "It was the United States and Israel that launched the Stuxnet attack in 2010 against Iran. Everyone better believe that the race is on and has been for a while."

Dwayne Melancon, vice president of products for Tripwire, said it is unlikely that a cyber arms race would develop into a cyber-Cold War simply because nations won't hesitate to use their cyberweapons.

"If this truly becomes a cyber arms race akin to the nuclear arms race that would mean nations would develop weapons, use them to threaten other nations, and almost never use them to attack. However, I don't think that is what will happen with cyber arms -- I think they'll be used anyway," Melancon told SearchSecurity. "After all, the perceived consequence and damage seems much less outrageous when you think of cyber arms, at least at face value. Of course, cyber security researchers know that cyber weapons could cause death, destruction and chaos if deployed against critical infrastructure, systems affecting public safety, and so forth."

From cyber arms race to cyber-Cold War

John Dickson, former U.S. Air Force CERT and principal of Denim Group Ltd., based in San Antonio, said he thinks we're already in a cyber-Cold War -- though he would like a better term for it -- and to the point where a cyberattack could prompt a physical response, which pushes the need for more accurate cyber attribution.

"I'm not sure we've seen a case to date where physical destruction caused by a cyberattack was serious enough where a nation state would seriously consider striking back with what the military calls a 'kinetic' attack, or via conventional warfare," Dickson told SearchSecurity. "I suspect that will likely happen at some point, which is when incorrect attribution will really be substantially more critical. If terrorists or nation states brought down an airliner or opened up a dam causing downstream death and destruction, there would likely be pressure to retaliate in the physical realm with military force. If we, or another nation state, misread attribution, the results could be potentially devastating and could escalate to a much larger military conflict."

Brian NeSmith, the CEO of Arctic Wolf Networks, Inc., said there is no such thing as a cyber-Cold War.

"In preparation for a cyberwar, nations would be penetrating an adversarial nation's critical infrastructure and planting cyber-nuclear bombs," NeSmith said. "In a cyberwar, the 'invasion' would occur way in advance of the actual attack, and there would likely be no time to mount a defense before critical infrastructure is destroyed and real lives lost."

Jonathan Sander, vice president of product strategy for Lieberman Software, said the steps toward a cyber-Cold War may have already begun.

"One could say that the separation likely to result from a cyber-Cold war has already begun in the form of the 'Great Firewall of China,'" Sander told SearchSecurity. "The Chinese attempt to sever its cyber ties has many analogs to the USSR's iron curtain -- complete with resistance fighters, defections (both information and people), and espionage bringing things through the wall now and then."

Sander added that it may be impossible to imagine the political aspects of a cyber-Cold War, but the social impacts are easier to imagine.

"During the first Cold War, we saw some of the greatest physicists in the world stuck on [the] opposing side of an iron curtain. Science thrives on collaboration, and separation can be devastating to overall progress," Sander said. "With some of the greatest minds in computer science spread throughout all of the major players, and bitter rivals, that would be on sides of this cyber-Cold War, the chilling effects on overall progress may be a predictable outcome."

John Bambenek, manager of threat systems at Fidelis Cybersecurity, said a cyber-Cold War could be advantageous because it would force people to prepare for cyberattacks.

"In a cyber-Cold War scenario we would be spending real time and effort in securing our systems and educating the public in the very simple things they can do to protect themselves -- patching systems, avoiding phishing," Bambenek told SearchSecurity. "The hacking of the Illinois State Board of Elections, for instance, could have been prevented by the most basic SQL injection prevention techniques. What we have now is open conflict and the time for preparation is over."

The risks of faulty cyber attribution

Cyber attribution methods recently came under fire after confusion as to who was responsible for the DNC hack with some experts saying cyber attribution was an impossible task while others said the key was in human intelligence gathering and not focusing too much on technical evidence, which can be spoofed.

Melancon said the cyber arms race "is a perilous path for nations to walk -- and the error-prone nature of attribution make it even more perilous" because cyber attribution is "extremely hit or miss."

"It is unlikely you'll know exactly who the perpetrators are unless they are: careless; not very good; or really want you to know they did it," Melancon said. "Often, security investigators arrive at conclusions like, 'I really think so-and-so did it,' but most of the time the evidence is insufficient to know for sure."

Patterson said being accurate with cyber attribution is currently difficult and may even be an "impossible task."

"Attackers often bounce from one country to the next before launching an attack. Hackers purposely put comments in their code to imply a different language other than their native tongue," Patterson said. "No one wants to get caught and cybercrime makes it relatively easy to cover your tracks."

Dickson said the only way to truly confirm cyber attribution as accurate would be to reveal "certain intelligence collection sources and methods to do so."

"Recall that during the Cuban Missile Crisis -- the U.S., at the United Nations Security Council, revealed compelling photo reconnaissance evidence that the Soviet Union had deployed certain ballistic missiles in Cuba. The downside of providing this evidence was that it provided certain adversaries insight into our national photographic intelligence collection capabilities," Dickson said. "If the United States were really interested in blaming the Russians or Chinese on a particular intrusion, they would risk revealing certain intelligence sharing relationships, national capabilities, and overall context that would provide more insight for subsequent attackers."

Sander said the Cold War shows a "perfect example of what the cyber-Cold War could bring if there was an incorrect attribution."

"In 1979, NORAD nearly reacted with deadly force to a software glitch that, a bit too much like the movie War Games, mistook a simulation for a real attack," Sander said. "If an attribution makes the powers-that-be think it's an enemy attack and not some bad guys doing cybercrime, then they may go a step further than they did in 1979 and hit the big red button. One hopes that in a cyberwar the red button means letting loose cyber weapons and not nuclear devastation. But it's also good to remember that cyber systems control all our power, water, heating, and even nuclear facilities today."

Sander said even if cyber attribution could accurately identify who performed the attack, that doesn't necessarily translate to knowing if the attacker was hired by someone else.

"Pinning down the attribution of cyberattacks so you know exactly who is behind them is much more art than science right now. And often it's the art of politics," Sander said. "The trouble is that even if you get the technology parts of attribution perfectly, which is a massive challenge, you may still not know who was behind the attack. The bad guys often call in cyber contractors. If you can somehow manage to get past all the evasion and misdirection of professional cyber criminals, then you have only found the fingers on the keyboard not the mastermind."

NeSmith said, "Incorrect attribution is like pronouncing someone guilty when in fact they are innocent. It can only lead to ill will and get in the way of what's really needed, which is a productive dialogue, collaboration and a common set of rules everybody will follow."

What are Network Management Systems?

Network Management Systems are used for discovering, managing and monitoring various devices on a network (e.g. routers, switches, desktops, printers, etc.). They usually use the Simple Network Management Protocol (SNMP) to format and exchange management messages, and it’s exactly through this protocol that these systems can be attacked.

“These systems are attractive targets for attackers looking to learn more about new environments. A compromised NMS can serve as a treasure map, leading attackers to the most valuable — and perhaps non-obvious — targets, such as the printer that is responsible for payroll runs, or HR’s central server containing personally identifiable information on the employee base,” the researchers noted.

“Besides, why spend time and risk detection by scanning the network from a compromised system controlled by the attacker, when one could just piggyback on a working NMS that’s already designed to monitor the entire network population?”

The vulnerabilities

The vulnerabilities they found can all be exploited through three distinct attack vectors:

XSS attacks over SNMP agent-provided data

XSS attacks over SNMP trap alert messages (which are sent by SNMP agents to notify the network manager of any status change)

Format string processing on the NMS web management console (practically all modern NMSs are managed through them).

The first type of attack can be mounted by introducing a new device on the network. The NMS "discovers" it, and identifies it via SNMP data supplied by it. This data is displayed in the system's web-based console and can trigger an XSS attack. This type of attack requires a local attacker to be able to add a malicious device to the network.

The second type can be mounted by injecting Flash into easily spoofed SNMP trap messages that will be delivered to the management console, allowing an XSS attack string to be embedded in it. The attacker must occupy a position on the network.

The third one can also be launched via spoofed and specially crafted trap alert messages.
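All three vectors share one root cause: the console treats strings supplied by SNMP agents and traps as trusted markup or format strings. The Python below, added here as an illustration rather than code from any of the affected products, shows the defensive side: every agent-supplied value (sysName, sysDescr, trap text) is HTML-escaped before it reaches the console page, trap text is interpolated as an argument and never used as a format string, and a simple detector flags values containing markup so an operator can investigate the device that sent them. The OIDs are the standard MIB-II system group; the device values and the trap are constructed samples.

```python
import html
import re

# Constructed sample of agent-supplied values as an NMS might receive them
# from a discovered device. The sysDescr value carries markup that a console
# must never render verbatim.
SAMPLE_AGENT_DATA = {
    "1.3.6.1.2.1.1.5.0": "core-sw-01",                                   # sysName
    "1.3.6.1.2.1.1.1.0": "Vendor Switch OS 4.2 <script>alert(1)</script>",  # sysDescr
}

# Constructed sample trap: the text varbind is attacker-controllable because
# traps are easily spoofed on the network.
SAMPLE_TRAP = {
    "source": "10.0.0.7",
    "text": 'link down on port 3 <a href="http://attacker.example">details</a>',
}

# Characters and schemes that should never appear in a legitimate sysDescr
# or trap text; used only for flagging, not for sanitising.
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def escape_agent_value(value: str) -> str:
    """Treat anything an agent sends as untrusted text, never as HTML."""
    return html.escape(value, quote=True)


def render_device_row(oid_values: dict) -> str:
    """Build one console table row; every cell goes through the escaper."""
    sysname = oid_values.get("1.3.6.1.2.1.1.5.0", "")
    sysdescr = oid_values.get("1.3.6.1.2.1.1.1.0", "")
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        escape_agent_value(sysname), escape_agent_value(sysdescr)
    )


def render_trap_alert(trap: dict) -> str:
    """Trap text is data: it is passed as an escaped argument to a fixed
    template, never used as the format string itself."""
    return "<li>Trap from {}: {}</li>".format(
        escape_agent_value(trap["source"]), escape_agent_value(trap["text"])
    )


def flag_suspicious_values(oid_values: dict) -> list:
    """Detection aid: OIDs whose values contain markup or script URLs."""
    return [oid for oid, value in oid_values.items() if MARKUP_RE.search(value)]


if __name__ == "__main__":
    print(render_device_row(SAMPLE_AGENT_DATA))
    print(render_trap_alert(SAMPLE_TRAP))
    print("suspicious OIDs:", flag_suspicious_values(SAMPLE_AGENT_DATA))
```

Escaping at the point of output is what closes the first two vectors; keeping the template fixed and the trap text as an argument is what closes the third. The flagging regex is deliberately crude and is meant to raise an alert for a human, not to replace escaping.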

For more details about each of the vulnerabilities, consult this blog post.

The good news is that all the flaws found have already been patched, and users of the aforementioned products can download security updates with the fixes.

Description

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

An incomplete fix for this issue was released as part of SA-CORE-2015-002.
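The check the advisory describes as missing is a test that a URL the overlay is asked to display is a path on the same site, not an absolute or protocol-relative URL pointing elsewhere. The Python below is an added illustration of such a check and is not Drupal's code; the function names, the fallback path and the rule that a local target must start with a single slash are this example's own choices.

```python
from urllib.parse import urlparse


def is_local_path(url: str) -> bool:
    """Accept only a path on this site as a redirect or overlay target.

    Rejects anything carrying a scheme or host (http://..., //host/...),
    backslash variants that browsers treat as a host separator, and
    control characters. Hypothetical check, not Drupal's own logic.
    """
    if not url or any(ord(c) < 32 or c == "\x7f" for c in url):
        return False
    if "\\" in url:
        return False
    parts = urlparse(url)
    if parts.scheme or parts.netloc:
        return False
    # Demand exactly one leading slash so the value cannot be reinterpreted
    # as protocol-relative; "//host" is already rejected above via netloc.
    return url.startswith("/") and not url.startswith("//")


def safe_overlay_target(requested: str, fallback: str = "/admin") -> str:
    """Return the requested URL if it is local, otherwise a fixed fallback."""
    return requested if is_local_path(requested) else fallback


if __name__ == "__main__":
    for candidate in ["/admin/config", "http://evil.example/",
                      "//evil.example/admin", "/\\evil.example",
                      "javascript:alert(1)"]:
        print(candidate, "->", safe_overlay_target(candidate))
```

The fallback matters as much as the rejection: a rejected value should send the user to a known page rather than echoing the rejected URL back into the page, which would reopen the same class of problem.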

CVE identifier(s) issued

Versions affected

Drupal core 7.x versions prior to 7.41.

Solution

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal 7.41

Also see the Drupal core project page.

Reported by

Samuel Mortenson

Pere Orga of the Drupal Security Team

Fixed by

Pere Orga of the Drupal Security Team

David Rothstein of the Drupal Security Team

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity